Technical Papers

Here you will find a range of papers aimed at system administrators and security specialists on a variety of topical issues. Some of these papers have been presented at security seminars and technical conferences around the world.

The notorious PlugX APT group is continuing to evolve and launch campaigns, most recently a five-month-long campaign targeting organizations in India. PlugX now uses a new backdoor technique – hiding the payload in the Windows registry instead of writing it as a file on disk – according to this new technical paper from SophosLabs Principal Researcher Gabor Szappanos. Although not unique to PlugX, this backdoor approach is still uncommon and limited to a few relatively sophisticated malware families.

Many highly effective hacking groups associated with malware and advanced persistent threats (APTs) appear to lack an understanding of the technical exploits they use. They also fail to adequately test their exploits for effectiveness before unleashing them on their victims. Gabor Szappanos of SophosLabs Hungary evaluated the malware and APT campaigns of several groups that all leveraged a particular exploit — a sophisticated attack against a specific version of Microsoft Office. Gabor details how none of the groups he analyzed were able to modify the attack enough to infect other versions of Office, even though several versions were theoretically vulnerable to the same type of attack.

In this paper we will highlight the main infection vectors for Vawtrak. We will describe how it gains control on an infected machine and what functionality it is capable of. We will then demonstrate how that functionality is being used, what organisations are being targeted and how the mechanisms that are employed vary between targeted banks and targeted geographies. Finally we will show how the Vawtrak botnet is apparently being used as part of a Crimeware-as-a-Service (CaaS) business model where the output of the botnet can be adjusted on demand, with financial data effectively being stolen to order.

This technical paper by SophosLabs Principal Researcher Gabor Szappanos explores the malware campaign called Rotten Tomato, in reference to the Tomato Garden campaign - and because some of the samples were rotten in the sense that they were not effectively executed - and shows how several different groups used the same zero-day Microsoft Word exploit. The term "used" means that they somehow get hold of a document that exploited the vulnerability, and then left the exploiting document part and the shellcode intact, and only changed the appended encrypted executable at the end.

This document is an overview of work done to attempt to rank some commonly used analytically-focused database technologies against our currently used infrastructure and traditional data storage approaches. We will attempt to improve our current systems based on the work done here which will enable us to make an informed decision as to which technology to adopt in the future.

In this paper, presented at the Virus Bulletin 2013 conference in Berlin, independent researcher Paul Baccas documents some pitfalls of the ﬁle formats that make detection problematic, with particular attention placed on high-profile attacks using Microsoft vulnerability CVE-2012-0158. Baccas used tools based on the proprietary Sophos Virus Description Language (VDL) in this research.

This paper by SophosLabs researcher Rowland Yu, presented at the Virus Bulletin 2013 conference in Berlin, gives an overview of three generations of the GinMaster family, examines their core malicious functionality, tracks their evolution from source code, and presents notable techniques utilized by speciﬁc variants.

This paper by SophosLabs researchers Vanja Svajcer and Sean McDonald introduces a structured PUA taxonomy for mobile apps, which can be applied both by security vendors and by mobile app developers. It was presented at the Virus Bulletin 2013 conference in Berlin.

Ransomware may often be compared to fake antivirus in the way it operates and the motivation behind it. However, fake antivirus plays on the security fears and calls for the user to take actions in self-preservation, whereas ransomware works either as extortion or punishment. This paper describes in detail our findings about the motivations, strategies and techniques utilized in creating and propagating ransomware.

The first part of this paper concluded in the deobfuscation of the server code which, while not complete, was still sufficient for a general understanding of the operation. It enabled us to follow the procession of the events both from the client and server side. The client side events we have already documented in detail. This paper attempts to fill in the missing server side piece.

Without exception the most actively deployed exploit kit in the past year was the Blackhole exploit kit. Now that the much heralded 2.0 version of the kit is out, it is safe to gradually release information about the previous 1.x version. The first portion of this paper will concentrate on the stolen 1.0.2 version of the exploit kit. A more comprehensive version of this material was published in the October issue of the Virus Bulletin magazine.

Since our last paper on ZeroAccess the authors have made significant changes. In this paper we will examine those changes and take a closer look at the ZeroAccess botnet itself, exploring its size, functionality and purpose. We will explain in detail how the peer-to-peer protocol works, what network traffic is created, and how the bot phones home during installation. Then we will examine the plugin files that the botnet downloads: what these files are, what they do and how they work.

In this paper we will explore the ZeroAccess threat; from the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload. We examine how ZeroAccess works and what its ultimate goal is.

In this paper, we study the evolution of FakeAV over the last three-and-a-half years. We analyze the major FakeAV events, infection vectors and some important anti-emulation/anti-reverse engineering (RE) tricks used by FakeAV packers.

New rootkits always garner attention from the malware research community and often panic among end-users. This paper dissects the workings of Popureb and explains how to safely restore affected computers to their original state.

This paper will explore the various components of the Zeus kit from the Builder through to the configuration file; examine in detail the functionality and behaviour of the Zbot binary; and assess emerging and future trends in the Zeus world.

Fraser Howard and Onur Komili of SophosLabs describe in this paper recent research by SophosLabs into how attackers are using blackhat Search Engine Optimization (SEO) techniques to stuff legitimate websites with content designed to rank highly in search engine results, yet redirect users to malicious sites.

In this paper Dmitry Samosseiko of SophosLabs Canada discusses and analyzes the Russian 'partnerka' networks, their economic model, and their relation to spam and malware. It will reveal some ‘insider’ statistics and information, show the tools used for ‘black SEO’ (search engine optimizations), and explain its terminology and techniques. This technical paper also discusses how traditional email spam evolved into a complex web-based industry, creating new challenges for law enforcement, user education and for security labs.

This paper was presented at the Virus Bulletin Conference in Geneva, 2009.

This paper describes the steps that Mac users can take to improve the physical security of their laptops — away from the safety of the corporate environment with its security controls and into new environments with new risks and threats — discussing the context and benefits of each change.

In this updated paper Fraser Howard, principal virus researcher at Sophos, discusses some of the common ways that web servers are attacked, the reasons why they are targeted, and details various techniques in which they — and the websites they host — can be protected.

In this paper, Fraser Howard, principal virus researcher at Sophos, explores how modern malware uses the web to infect victims. The increased use of compromised websites in attacks is discussed and illustrated with examples of real attacks. Finally, methods to defend against such attacks are discussed.

This paper analyses the many modern anti-anti-spam techniques, with statistical reports and real-life examples. Methods of combating these often highly effective and 'popular' spam techniques are explored.

Leading anti-malware expert, Paul Ducklin, addresses the following questions: can strong authentication (especially so-called two factor authentication) sort out phishing and fraud? Will smarter technology leave us safe from organized crime, or are there aspects of phishing and on-line fraud which will allow the bad guys to keep stealing from unfortunate victims no matter what we do?

In this paper, Jason Bruce, Detection Development Manager at SophosLabs, discusses scanning techniques for detecting and removing threats that have been installed on computers, with a focus on the difficulties faced in removing threats that are comprised of many installed components. Jason concludes by highlighting that the measure of success of threat removal is not always as clear cut as the measures used in the detection tests the industry has become used to.